我的书签
添加书签
移除书签目标
这部分我们创建k8s需要的证书.
功能关系
| 软件 | 证书 | 备注 | |
|---|---|---|---|
| kube-apiserver | ca.pem ca-key.pem kubernetes.pem kubernetes-key.pem |
||
| kube-controller-manager | ca.pem ca-key.pem |
||
| kube-scheduler | |||
| kubelet | ca.pem 节点证书 |
以Node1.k8s示例,需要 Node1.k8s.com-key.pem Node1.k8s.com.pem 同时自动生成: Node1.ks.com.kubeconfig |
|
| kube-proxy | ca.pem kube-proxy-key.pem kube-proxy.pem |
||
| kubectl | ca.pem admin.pem admin-key.pem |
||
| dashboard | dashboard.pem dashboard-key.pem |
创建ca
创建ca配置文件:ca-config.json
{"signing": {"default": {"expiry": "43800h"},"profiles": {"kubernetes": {"usages": ["signing", "key encipherment", "server auth", "client auth"],"expiry": "43800h"}}}}
创建ca证书签名请求文件:ca-csr.json
{"CN": "Kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "Shandong","L": "JiNan","O": "Kubernetes","OU": "CA"}]}
创建ca证书,私钥,证书请求文件
Shell># cfssl gencert -initca ca-csr.json | cfssljson -bare ca
API server证书
目的: 给apiservice使用
创建证书签名文件:kubernetes-csr.json
{"CN": "kubernetes","hosts": ["127.0.0.1","10.10.1.20","10.10.1.21","10.10.1.22","10.10.1.23","10.254.0.1","master.k8s.com","kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "JiNan","O": "Kubernetes","OU": "Kubernetes","ST": "Shandong"}]}
生成证书
Shell>#cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \kubernetes-csr.json | cfssljson -bare kubernetes
kubelet 证书
目标: 给kubelet 与apiserver 连接式做身份认证使用。
说明:
创建证书签名文件,每个节点都会有一个自己的证书,证书名称使用自己的主机名称。其中CN中要包含主机名称。
创建列表文件,名称为node.list
#hostname@ipaddrs(ip1,ip2,ip3)Node1.k8s.com@10.10.1.31Node2.k8s.com@10.10.1.32Node3.k8s.com@10.10.1.33,10.10.1.34
创建脚本 node.sh
#!/bin/bashHostName=(`cat nodes.list | grep -v '#' | awk -F '@' '{print $1}'`)HostNUM="${#HostName[*]}"#echo $HostNUMips=(`cat nodes.list | grep -v '#' | awk -F '@' '{print $2}'`)for ((i=0; i < $HostNUM; i++)) ; doinstance=${HostName[$i]}cat > ${instance}-csr.json <<EOF{"CN": "system:node:${instance}","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "JiNan","O": "system:nodes","OU": "Kubernetes","ST": "Shandong"}]}EOFNODE_IP=${ips[$i]}echo ${instance}cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-hostname=${instance},${NODE_IP},'127.0.0.1' \-profile=kubernetes \${instance}-csr.json | cfssljson -bare ${instance}#make kubeconfig filekubectl config set-cluster kubernetes \--certificate-authority=ca.pem \--embed-certs=true \--server=https://master.k8s.com \--kubeconfig=${instance}.kubeconfigkubectl config set-credentials system:node:${instance} \--client-certificate=${instance}.pem \--client-key=${instance}-key.pem \--embed-certs=true \--kubeconfig=${instance}.kubeconfigkubectl config set-context default \--cluster=kubernetes \--user=system:node:${instance} \--kubeconfig=${instance}.kubeconfigkubectl config use-context default --kubeconfig=${instance}.kubeconfigdone
kube-proxy 证书
创建证书签名文件:kube-proxy-csr.json
{"CN": "system:kube-proxy","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "JiNan","O": "system:node-proxier","OU": "Kubernetes","ST": "Shandong"}]}
生成证书
Shell>#cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \kube-proxy-csr.json | cfssljson -bare kube-proxy
管理员证书
创建证书签名文件:admin-csr.json
{"CN": "admin","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "JiNan","O": "system:masters","OU": "Kubernetes","ST": "Shandong"}]}
生成管理员证书
Shell>#cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \admin-csr.json | cfssljson -bare admin
dashboard证书
创建证书签名文件:dashboard-csr.json
{"CN": "dashboard","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "JiNan","O": "system:masters","OU": "Kubernetes","ST": "Shandong"}]}
生成dashboard证书
Shell>#cfssl gencert \-ca=ca.pem \-ca-key=ca-key.pem \-config=ca-config.json \-profile=kubernetes \admin-csr.json | cfssljson -bare dashboard
